From: Stefan Metzmacher Date: Wed, 2 Oct 2024 17:06:59 +0000 (+0200) Subject: libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_i... X-Git-Tag: samba-4.21.2~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c6bfa4dbb257ab261acad6f5d0c811378701ac73;p=thirdparty%2Fsamba.git libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_init() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall (cherry picked from commit dfbc5e5a19420311eac3db5ede1c665a9198395d)
---
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 07b146579f6..59db4bc28ea 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -657,11 +657,14 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 const struct samr_Password *machine_password,
 const struct netr_Credential *credentials_in,
 struct netr_Credential *credentials_out,
+ uint32_t client_requested_flags,
 const struct dom_sid *client_sid,
 uint32_t negotiate_flags)
 {
 struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
+ struct timeval tv = timeval_current();
+ NTTIME now = timeval_to_nttime(&tv);
 NTSTATUS status;
 bool ok;
@@ -707,6 +710,8 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 talloc_free(creds);
 return NULL;
 }
+ creds->ex->client_requested_flags = client_requested_flags;
+ creds->ex->auth_time = now;
 creds->ex->client_sid = *client_sid;
 if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index edc3284d32c..3094292657a 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
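Review bot: In the `@@ -657` hunk of libcli/auth/credentials.c the new `uint32_t client_requested_flags` parameter has the same type as the existing `uint32_t negotiate_flags` two positions later, so a call site that swaps the two still compiles without a warning. No doc comment is visible that says which value is the client's unfiltered request and which is the masked result. I would add one above the definition, e.g. `/* client_requested_flags: flags exactly as the client sent them, stored for later reference; negotiate_flags: the already-masked set tested for NETLOGON_NEG_SUPPORTS_AES below */`. The same comment belongs on the prototype changed in libcli/auth/proto.h. The function body begins in this hunk and continues past its end.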
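Review bot: `creds->ex->auth_time = now;` in the `@@ -707` hunk of libcli/auth/credentials.c stores a value taken from `timeval_current()` at function entry, which appears to be wall-clock time rather than a monotonic clock. If code not shown here later compares `auth_time` with the current time to age out or re-validate a secure channel, a clock step would shift that decision. A short comment such as `/* server wall-clock time when this credential state was created; not monotonic */` would make the assumption explicit. The allocation of `creds->ex` is outside the hunk, so the only visible evidence that it is valid here is that the assignments follow the `talloc_free(creds); return NULL;` failure path.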
@@ -69,6 +69,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 const struct samr_Password *machine_password,
 const struct netr_Credential *credentials_in,
 struct netr_Credential *credentials_out,
+ uint32_t client_requested_flags,
 const struct dom_sid *client_sid,
 uint32_t negotiate_flags);
 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
diff --git a/librpc/idl/schannel.idl b/librpc/idl/schannel.idl
index ad296f48d84..619e9e5591c 100644
--- a/librpc/idl/schannel.idl
+++ b/librpc/idl/schannel.idl
@@ -22,6 +22,8 @@ interface schannel
 * On the server we use CLEAR_IF_FIRST,
 * so db layout changes don't matter there.
 */
+ netr_NegotiateFlags client_requested_flags;
+ NTTIME auth_time;
 dom_sid client_sid;
 } netlogon_creds_CredentialState_extra_info;
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 936d3214173..ad1d5dc33d7 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 &mach_pwd,
 r->in.credentials,
 r->out.return_credentials,
+ in_neg_flags,
 &sid,
 neg_flags);
 if (!creds) {
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 5b7ca45ba42..01cc3611155 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -422,6 +422,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 "whenCreated", NULL};
 uint32_t server_flags = 0;
+ uint32_t client_flags = 0;
 uint32_t negotiate_flags = 0;
 ZERO_STRUCTP(r->out.return_credentials);
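Review bot: The two new members in librpc/idl/schannel.idl are inserted ahead of `dom_sid client_sid`, which changes the marshalled layout of `netlogon_creds_CredentialState_extra_info`. The visible part of the comment only says that layout changes do not matter on the server because of CLEAR_IF_FIRST, and the start of that comment is outside the hunk. It is worth confirming that no other consumer parses blobs written by an older build. Each member also deserves a one-line comment, e.g. `/* flags as sent by the client, before masking with the server's flags */` and `/* server time at which this credential state was created */`.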
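Review bot: In source3/rpc_server/netlogon/srv_netlog_nt.c the new argument is `in_neg_flags`, whose assignment is outside this hunk, so it cannot be confirmed from here that it still holds the client's unmodified request when it reaches `netlogon_creds_server_init()`. The source4 caller makes this explicit with `client_flags = *r->in.negotiate_flags;` directly before the mask is applied. If `in_neg_flags` were adjusted between capture and this call, the stored `client_requested_flags` would no longer record what the client actually asked for, which reduces its value for later policy or audit checks. A comment at the capture site such as `/* keep unmodified: stored as client_requested_flags */` would guard against that.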
@@ -515,7 +516,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 * NETLOGON_NEG_STRONG_KEYS from server_flags...
 */
- negotiate_flags = *r->in.negotiate_flags & server_flags;
+ client_flags = *r->in.negotiate_flags;
+ negotiate_flags = client_flags & server_flags;
 switch (r->in.secure_channel_type) {
 case SEC_CHAN_WKSTA:
@@ -792,6 +794,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 curNtHash,
 r->in.credentials,
 r->out.return_credentials,
+ client_flags,
 *sid,
 negotiate_flags);
 if (creds == NULL && prevNtHash != NULL) {
@@ -810,6 +813,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 prevNtHash,
 r->in.credentials,
 r->out.return_credentials,
+ client_flags,
 *sid,
 negotiate_flags);
 }